Assume Role doesn't work as expected #86

Open

tomasz-bres opened this issue May 19, 2021 · 6 comments

Comments

@tomasz-bres

tomasz-bres commented May 19, 2021

I have credentials configured to use IAM Role.
IAM Role To Use is provided as full ARN (i.e. arn:aws:iam::account-id:role/role-name)

The error I have:
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID:

I checked user and role configuration with AWS CLI - it's working as expected (I'm able to use assumed role with CLI)

aws-credentials-plugin version: 1.28.1

@aldredb

aldredb commented Jun 19, 2021

Yep, I am experiencing similar issues as well. My error is: The security token included in the request is invalid.

@beingamarnath

beingamarnath commented Jul 2, 2021

Same here. This issue started occurring very recently, even for me. My error is: The security token included in the request is invalid.

@slallemand

Have the same issue as well.
From what I see, when "Assume role" is set up, once we start the pipeline, the plugin uses a different set of AK/SK.
I see that my AK starts with "ASxxxx" (also, the secret key changed).

Did someone find a workaround?

@tomasz-bres
Author

tomasz-bres commented Nov 10, 2021

As far as I remember, on the Jenkins side you have to provide IAM user credentials (SK/AK). The IAM Policy attached to this user has to allow the assumeRole action. Do not configure assume role on Jenkins.
You also have to prepare IAM Roles that the user can assume (trust policy).

Then configure assumeRole in Jenkinsfile like this:

withAWS(region: REGION,
        credentials: BASE_CREDENTIALS,
        role: BASE_ROLE + '-' + REGION + '-' + stage_name,
        roleAccount: '<account where IAM Role is defined>',
        duration: 900,
        roleSessionName: BASE_ROLE + '-' + REGION + '-' + stage_name) {
    <actions to be performed with assumed role>
}

Where:
REGION - AWS Region where actions are going to be performed
BASE_CREDENTIALS - ID of Credentials defined in Jenkins (the one for IAM User)
role - IAM Role name assumed by IAM User
duration - Temporary credentials TTL
roleSessionName - Just a name for this assumed role session.

It's not perfect because developers can change something, but it works.
I moved this part to a different repo where developer access is forbidden.

@slallemand

Hello @tomasz-bres,
Thanks for your reply. It works well.

What was not clear to me is the ability to specify an IAM ROLE in the AWS credentials; not configuring it and specifying the role in the steps works well.

@parkercameron

parkercameron commented Dec 30, 2021

I encountered what may be a related issue recently.

tl;dr: You cannot use an AWS Credential with a Role ARN set with the withAWS pipeline step.

I created an AWS Credential with a Role ARN and attempted to use the credential in my pipeline via the withAWS step but I always received an AccessDenied message. After digging around in CloudTrail, I saw that this plugin was successfully executing AssumeRole but the pipeline step was still failing. In an act of desperation I had the pipeline run env | grep AWS to see what variables were being set.
It turns out that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values were set properly (they matched the access key id for the assumed role), but AWS_SESSION_TOKEN was not set. The missing session token explains why all the AWS API calls were failing.
The issue was that the withAWS step was filtering out the session token since it was only expecting IAM User access keys - the two plugins simply can't be combined in this way unfortunately. That being said, the workaround is to not use the Role ARN attribute of the AWS Credential and use the withAWS role assumption capabilities.
Hope this helps someone!
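The failure mode described in this comment (an assumed-role access key and secret exported into the build, but no AWS_SESSION_TOKEN alongside them) can be caught before the first AWS call instead of after an AccessDenied. The following is an added example, not code from the aws-credentials-plugin, the pipeline-aws plugin or anyone in this thread: a POSIX shell preflight meant to run in a `sh` step. It relies on one documented AWS convention, that access key ids issued by STS for temporary credentials begin with `ASIA` while long-lived IAM user keys begin with `AKIA`, so an `ASIA` key with an empty session token can never authenticate. It also replaces `env | grep AWS`, which writes the secret key and token into the Jenkins console log, with a summary that only reveals the key prefix and whether each variable is set. All key, secret and token values below are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example (not from the plugins or the thread): preflight check for the
# credential triple a Jenkins `sh` step inherits from withAWS.
#
# Usage inside a pipeline step:
#   check_aws_env "$AWS_ACCESS_KEY_ID" "$AWS_SESSION_TOKEN" || exit 1
#
# Exit status: 0 = consistent, 1 = temporary key without a session token,
# 2 = no access key id at all.
check_aws_env() {
    key_id=$1
    session_token=$2

    if [ -z "$key_id" ]; then
        echo "no AWS_ACCESS_KEY_ID in environment" >&2
        return 2
    fi

    case "$key_id" in
        ASIA*)
            # STS temporary credential: the token is part of the credential,
            # without it every call fails ("security token ... is invalid").
            if [ -z "$session_token" ]; then
                echo "temporary access key (ASIA...) present but AWS_SESSION_TOKEN is empty" >&2
                return 1
            fi
            echo "temporary credentials with session token: ok"
            ;;
        AKIA*)
            # Long-lived IAM user key: no token expected; assume the role in the
            # withAWS step rather than on the stored credential.
            echo "long-lived IAM user key: ok"
            ;;
        *)
            echo "unrecognised access key id prefix: $(printf '%s' "$key_id" | cut -c1-4)" >&2
            ;;
    esac
    return 0
}

# Report which AWS variables are set without echoing secret values into the
# build log (the thread's `env | grep AWS` does echo them).
aws_env_summary() {
    key_id=$1
    secret=$2
    token=$3
    printf 'AWS_ACCESS_KEY_ID=%s... (%d chars)\n' \
        "$(printf '%s' "$key_id" | cut -c1-4)" "${#key_id}"
    printf 'AWS_SECRET_ACCESS_KEY set: %s\n' "$([ -n "$secret" ] && echo yes || echo no)"
    printf 'AWS_SESSION_TOKEN set: %s\n' "$([ -n "$token" ] && echo yes || echo no)"
}

# Demo with constructed values (not real credentials): the broken case from
# the comment above, then the healthy case.
demo() {
    check_aws_env "ASIAEXAMPLEKEY000001" "" || echo "  -> exit status $?"
    check_aws_env "ASIAEXAMPLEKEY000001" "CONSTRUCTED-SESSION-TOKEN" || echo "  -> exit status $?"
    aws_env_summary "ASIAEXAMPLEKEY000001" "constructed-secret" ""
}
demo
```

In a pipeline, call `check_aws_env "$AWS_ACCESS_KEY_ID" "$AWS_SESSION_TOKEN"` as the first command of the `sh` block inside `withAWS`; a non-zero status fails the step with a message that names the missing token rather than a generic AccessDenied from the service.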
